When law enforcement depends on cyber-insecurity, we're all at risk

It's not enough to pass rules limiting use of "stingray" mobile-phone surveillance devices by civilians: for as long as cops depend on these devices, the vulnerabilities they exploit will not be fixed, leaving us all at risk.

Stephanie Pell's Wired op-ed concisely makes the important point that the development of offensive "cybersecurity" measures, like tools that weaponize vulnerabilities in our commonly used technology, comes at the expense of the far more important defensive measures, like fixing those vulnerabilities so that foreign spies, crooks, voyeurs, and other creeps can't use them to attack the guilty and innocent alike.

It's part of the argument I make in The Coming War Over General Purpose Computers: if you set out to secure society by making computers that disobey and trick their (potentially evil) owners, then you also end up designing computers that bad guys can take over and use to attack everyone, because once you get into the control structures of those systems, their owners have no way to monitor them or turn them off.

With the democratization and globalization of this surveillance tool, Chairman Wheeler is right to be concerned about the unlawful use of IMSI catchers by criminals and foreign spies in the United States. In stopping there, however, the FCC letter fails to acknowledge or address a more fundamental issue: IMSI catchers, whether employed illegally by criminals or legally by U.S. law enforcement, function by exploiting long-standing cyber security vulnerabilities in our cellular networks. Any genuine solution to the “illicit” IMSI catcher problem must address the continuing presence of network vulnerabilities that are exploitable by anyone who possesses this widely available surveillance technology.

One consequence of securing our national telephone networks from rogue IMSI catchers, however, is that doing so will render it more difficult for law enforcement to monitor targets’ cell phones with their own IMSI catchers. That is, by protecting our phone networks from illegal surveillance, it will also become more difficult for U.S. government agencies to engage in certain kinds of lawful surveillance.

Policymakers seeking to address the illicit IMSI catcher problem must therefore grapple with the inherent tension between court-approved use of certain surveillance technologies and the contemporary effort to harden our communications networks against a broad spectrum of cyber threats. Given the serious cyber threats our country faces, the surveillance benefits realized by law enforcement through the use of IMSI catchers can no longer justify ignoring the cyber security weaknesses in our communications networks that enable their operation. Indeed, policymakers should take a dim view of any aspects of national surveillance policy and practice that rely upon perpetual network vulnerabilities. Such vulnerabilities no longer represent exclusive opportunities for effective surveillance by law enforcement and intelligence agencies since their operational hegemony in this area has long since been lost. Rather, these security flaws constitute an increasing risk to privacy and public safety that should become the subject of a full and open policy discussion of the kind the FCC’s new task force will presumably conduct.